From owner-freebsd-security Wed Dec 5 10:52:54 2001
From: "Louis A. Mamakos"
To: Ruslan Ermilov
Cc: Eugene Grosbein, "Crist J. Clark", net@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: NOARP - gateway must answer and have frozen ARP table
Date: Wed, 05 Dec 2001 13:52:48 -0500
Message-Id: <200112051852.fB5IqmH95809@whizzo.transsys.com>
In-reply-to: Your message of "Wed, 05 Dec 2001 20:45:26 +0200." <20011205204526.B89520@sunbay.com>
References: <20011205124430.A83642@svzserv.kemerovo.su> <20011205040316.H40864@blossom.cjclark.org> <20011205231735.A1361@grosbein.pp.ru> <20011205193859.B79705@sunbay.com> <200112051835.fB5IZqH95521@whizzo.transsys.com> <20011205204526.B89520@sunbay.com>

> On Wed, Dec 05, 2001 at 01:35:52PM -0500, Louis A. Mamakos wrote:
> > Doesn't this behavior need to be on a per-interface basis? I'm wondering
> > if a single sysctl is sufficient to get the desired effect.
> >
> No, we want ARP table to stay intact no matter which interface
> sends us an update.

I thought the original desire was to have a network interface which would respond to ARP requests, but only use static IP->MAC address mappings installed in the ARP table.
I would imagine there are circumstances where you'd like other network interfaces on a multi-homed host to continue to operate in the "normal" fashion. While the sysctl proposed would appear to enforce that on all interfaces or none, I don't think that's nearly as useful as per-interface behavior of how IP->MAC mappings get maintained. For example, a router between some upstream transport via an ethernet and some subscriber network where this restricted ARP function is enabled.

Multiple instances of the sysctl variable, per interface, would be another way to go, but not easily implemented.

louie
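The thread is about making the kernel stop honouring ARP updates. The per-interface check an operator wants alongside that, whichever way the sysctl ends up, is to see which entries in the table on a given interface are still dynamic (and so could have been learned from a spoofed reply) and to pin them with arp(8). The script below is an added example written for this page; it is not code from the thread or from FreeBSD. It assumes the `arp -an` line format of recent FreeBSD (`... on em0 permanent` for static entries, `... expires in N seconds` for learned ones) and that `arp -S` installs an entry after deleting any existing one; the sample table it parses is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the original thread or from FreeBSD itself.
# Audits a FreeBSD ARP table per interface: which entries were learned
# dynamically (and so could have been poisoned) versus installed statically
# with arp(8). Assumes the `arp -an` line format of recent FreeBSD, e.g.
#   ? (10.0.0.1) at 00:11:22:33:44:55 on em0 permanent [ethernet]
#   ? (10.0.0.2) at 00:11:22:33:44:56 on em0 expires in 1179 seconds [ethernet]
# Usage on a live host:  arp -an | dynamic_entries em0
# The addresses, MACs and interface names below are constructed sample data.

SAMPLE_ARP='? (10.0.0.1) at 00:11:22:33:44:55 on em0 permanent [ethernet]
? (10.0.0.2) at 00:11:22:33:44:56 on em0 expires in 1179 seconds [ethernet]
? (10.0.0.7) at (incomplete) on em0 expired [ethernet]
? (192.168.1.1) at 00:aa:bb:cc:dd:ee on em1 expires in 600 seconds [ethernet]
? (192.168.1.9) at 00:aa:bb:cc:dd:ef on em1 permanent [ethernet]'

# dynamic_entries IFACE  (reads arp -an output on stdin)
# Prints the IP address of every entry on IFACE that is not marked permanent,
# including incomplete/expired ones, since none of those were pinned by hand.
dynamic_entries() {
    awk -v iface="$1" '
        $0 ~ (" on " iface " ") && $0 !~ / permanent/ {
            ip = $2; gsub(/[()]/, "", ip); print ip
        }'
}

# count_dynamic IFACE  (stdin as above): number of non-static entries on IFACE
count_dynamic() {
    dynamic_entries "$1" | wc -l | tr -d ' '
}

# freeze_commands IFACE  (stdin as above)
# Emits the arp(8) commands that would pin each currently resolved dynamic
# entry on IFACE as a static one (assumes arp -S replaces any existing entry).
# Review the MACs before running them: freezing a poisoned entry makes it permanent.
freeze_commands() {
    awk -v iface="$1" '
        $0 ~ (" on " iface " ") && $0 !~ / permanent/ && $4 != "(incomplete)" {
            ip = $2; gsub(/[()]/, "", ip); print "arp -S " ip " " $4
        }'
}

# is_frozen IFACE  (stdin as above): succeeds only if IFACE has no dynamic entries
is_frozen() {
    [ "$(count_dynamic "$1")" = "0" ]
}
```

Run against the sample table, `count_dynamic em0` reports 2 (the learned entry and the incomplete one), `freeze_commands em0` emits a single `arp -S` line for 10.0.0.2, and `is_frozen` fails for em0 and em1 but succeeds for an interface with no entries. On a live router the interesting point is the one made in the message above: the subscriber-facing interface is the one you want frozen, while the upstream interface can keep learning normally, so the audit is done per interface rather than for the whole table.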